Wireshark is easy to use as a packet inspection tool, and its packet colorizing feature makes 
various types of traffic easy to tell apart. This paper exemplifies how Wireshark is used as a 
tool in networks. To clarify the effectiveness of malicious packet identification in a network, 
an experiment was conducted: using the Wireshark program, testing was carried out in real time 
through experimentation and analysis. The inferences drawn clearly show Wireshark's capabilities 
as a tool in a powerful system for discovering a breach. The functionality of Wireshark in 
analyzing network protocols, and its open-source nature, which enables the addition of further 
tasks to detection devices, were emphasized. Wireshark's capabilities for handling and 
interpreting packet data have been highlighted, and access control list (ACL) filtering has been 
the main application of Wireshark. 
1. INTRODUCTION 

Recently, mobile gadgets have seen a lot of use. Therefore, research in the fields of computing and 
mobility is crucial. Users of such devices have security as one of their top concerns [1]. A fundamental worry 
for network security is the improper and undesired admission of malicious users and/or harmful data 
packets [2]. The fundamental building blocks of every communication system are data packets; thus, network 
security also entails data packet security. The most fundamental building element of communication, a data 
packet, streams its countless duplicates to convey data from one device to another [3]. A data packet is 
contained in a data segment, which also carries other data such as the protocol being used and the target 
hardware address. In a nutshell, by examining its contents it is possible to determine whether a packet 
comes from a shady source. Packet sniffing is the practice of identifying and examining a data segment's 
and its packet's contents. Packet logging is the process of compiling this data into a log. A packet analyzer is a 
piece of computer hardware or software that can intercept and record data traveling over a digital network or 
a section of one [4]. The sniffer intercepts each packet as data streams pass through the network, decodes it, 
and then examines its content according to the required specifications [5]. 

Keeping an eye on network resources in order to spot unusual activity and abuse is the aim of packet 
sniffing. This idea has seen a sharp increase in acceptance and integration into the overall information 
security infrastructure [6], [7]. With the advent of computer security risk, the concept of detection was created. 
[7]-[9] included crucial data that might be useful for detecting abuse and understanding user behavior. Host- 
based intrusion detection was introduced as a result of that work. Another intrusion detection system has been 
disclosed by the authors of [10]. This project built an intrusion detection system (IDS) that analyzed audit data 
by comparing it to predefined patterns. The concept of network intrusion detection has been defined in [11], [12]. 
In the early 1990s, commercial development of intrusion detection technologies started. With its host-based 
Stalker family of IDS tools, Haystack Labs was the first commercial IDS tool provider. In spite of this, 
commercial intrusion detection systems took a while to develop and didn't really take off until the second half 
of the decade. 

Wireshark is used in this research to examine the operation of a packet analyzer as well as packet 
sniffing and logging techniques; Figure 1 shows the Wireshark architecture. Wireshark is a popular open source 
network protocol analyzer [13], [14]. An IDS is any packet sniffer or logger with the additional 
capability of identifying hostile network activity [15]-[19]. Additionally, an IDS typically maintains a database 
of known attack signatures and can identify when a signature and recent or current behavior closely 
match by comparing patterns of activity and traffic [20]-[22]. 

The IDS can then send out alarms or alerts at that point. A pattern that fits known malware is called 
a signature. In this study, a test problem was created, and on the basis of the experiment's findings, reasonable 
inferences regarding Wireshark's potential as an IDS were made. 


Figure 1. Wireshark architecture 


2. WIRESHARK AND SNIFFING TOOLS 

The world's most popular network protocol analyzer is Wireshark [23], [24]. It supports a wide range of 
operating systems, including Windows, OS X, Linux, and UNIX, and provides a powerful feature 
set. Network experts, security experts, developers, and teachers all over the world commonly use it. It is 
available free of charge as open source and is released under the terms of the GNU General Public 
License version 2. It is an illustration of a disruptive technology developed and supported by a global group of 
protocol experts. Wireshark used to go by the name Ethereal. The Wireshark software package is a free packet 
sniffer. The features of Wireshark allow for the collection, viewing, and analysis of data packets [25]. The 
extensive wireless protocol analysis functionality offered by Wireshark enables administrators to troubleshoot 
wireless networks. Administrators can use Wireshark to gather traffic "from the air" and decode it into a format 
that makes it simpler to spot the issues causing sluggish performance, unpredictable connectivity, and other 
common troubles. 

It is not too difficult to set up traditional network sniffing on an Ethernet network. In a shared 
environment, recording a new packet of traffic begins on an analysis workstation running Wireshark. There 
are numerous wired and wireless methods, encompassing a wide range of topologies and protocols, for 
connecting a node to a network. Users of Wireshark have the option to record all packets passing through a 
specific interface at a specific time, or over the entire network. The capture tool is one of the main tools. Any 
of the node's available interfaces can be selected for capture from the interface list, as seen in Figure 2. The 
Options tab offers a more complex approach for each individual interface. The Go menu items provide the 
possibility of browsing through packets in the capture list. 
Figure 2. The capture tool 

[Screenshot: the Capture menu with the entries Options... (Ctrl+K), Start (Ctrl+E), Stop (Ctrl+E), 
Restart (Ctrl+R), Capture Filters... and Refresh Interfaces (F5), shown over the packet list] 

3. LOGGING TOOLS 


In terms of log maintenance, Wireshark surpasses other IDS or intrusion prevention system (IPS) 
devices with incredible versatility. Depending on the network and the device's capacity, log files can be collected 
hourly or weekly. Consequently, it is simple to collect files via a fast processing node and transmit them to an 
intermediate database. Depending on the analyzer tool used, as shown in Figure 3, another interesting feature 
is the capability of exporting the capture into a variety of other, easier-to-understand formats, such as 
plain text and CSV. 
Figure 3. Analyzer tools 
Wireshark has two kinds of filters: one is used when Wireshark captures packets, while the other is used when 
it displays packets. Display filters allow the administrator to focus on the packets that interest them while 
hiding the ones that aren't of interest right now. Packets may be selected according to the protocol, the 
existence of a field, its value, and a comparison of fields. Right above the packet list pane of Wireshark is a 
bar that filters the display. Here you can enter expressions to filter the frames, internet protocol (IP) packets, 
or transmission control protocol (TCP) segments that Wireshark displays from a packet capture (PCAP) 
(Figure 4). You can also select this to obtain far more in-depth definitions. 
Figure 4. Location of the display filter 
In response to the text you have entered in the display filter, Wireshark provides a list of suggestions. As 
illustrated in Figure 5, the expression is not yet valid while the display filter bar is still red. If the 
display filter bar turns green, the expression was recognized and ought to function as intended. If the display 
filter bar turns yellow, the expression has been accepted, but it probably won't function as planned, as 
seen in Figure 5. Figure 6 shows a more focused example using the http protocol. As shown 
in Figure 7, we can see Wireshark working correctly: the screen shows the type of protocol, its 
length, source, destination, and information. 
Figure 5. Display filter in Wireshark gives suggestions according to what you need 

[Screenshot of traffic-for-wireshark-column-setup.pcap: the display filter bar holding a request 
expression, a packet list with Time, Source, Port and Destination columns (entries dated 
2018-08-03 19:06:20 from 192.168.10.195 on ports 49714 and 49727), and packet details for Frame 6: 
493 bytes on wire (3944 bits), Ethernet II, Src: HewlettP_1c:47:ae, Internet Protocol Version 4, 
Src: 192.168.10.195] 

Figure 6. Display filter accepts a term of expression 
Figure 7. Sample screenshot of Wireshark in action 
4. POST SNIFFING ANALYSIS 

This section examines display filters, which are the second category of filter. The first one, 
"filtering while capturing," has already been addressed. Applications for display filters include error detection, 
packet sniffing, and pattern recognition. It's important to note that, unlike a typical IDS/IPS, Wireshark does 
not automatically produce alarms and notifications. Instead, actions recorded in a capture can be viewed and 
examined afterwards, either by hand or with the aid of other applications. The expert information table 
(Figure 8) can be used as a tool to support the aforementioned arguments because it clearly denotes checksum 
errors, redundancy checks, and lost segment accounting. Right-clicking the TCP address brings up 
many filters, as shown in Figure 9. 

It can listen in on nodes talking as they move packets in both directions in the captured file. The 
statistical IO graph is the second important instrument (Figure 10). These graphs can 
display the overall network traffic flow or just the traffic for a certain set of protocols. Wireshark is one of the 
easiest sniffing programs to use, and it also has the option of displaying distinct post-filtered captures on 
the graph in different colors to allow simple recognition. Either the system clock or the first packet can be used 
as the time reference. When we merge multiple capture files taken at various times, we can effectively use the 
system clock time. The timestamp is another statistics tool that merits mentioning in this context; it allows users 
to time-stamp each packet as they see fit. The purpose of the experiment below is to determine whether the node 
(server) has ever received an unauthorized packet from an external node, also known as the experimental node, 
which stands in for a single bad node or a set of them. We currently use four nodes, each of which represents a 
potential single node or group of nodes in a real-time scenario, as shown in Figure 11. 
Figure 10. The IO graph tool 
Figure 11. Experimental setup 


Region z represents the control traffic flow at the beginning of the network and shows no 
sharp peaks, as shown in Figure 12. In region y, on the other hand, we can see the movement in the network 
between the internal and external node and, in addition, from the internal node to the server. In region x, 
the bad activity begins; it coincides with UDP activity in the packet capture pane and with the sharp peaks 
in the I/O graph. 
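As an added example that is not part of the paper, the following Python script carries out the post-sniffing analysis of sections 3 and 4 on a CSV export of the capture (File > Export Packet Dissections > As CSV) instead of inside the Wireshark GUI: display-filter-style selection by protocol, packet size, sub-string and address, an IO-graph-style count of packets per second, and a flag on intervals whose count stands out as a sharp peak, together with the busiest source in that interval. The sample export, the addresses (192.168.10.195 as internal node, 192.168.10.10 as server, 203.0.113.7 as external node) and the timings are constructed for the example; the function names and the threshold rule (an interval exceeding three times the median) are the example's own choices, not Wireshark's.

```python
"""Post-sniffing analysis of a Wireshark CSV export (added example, not from the paper)."""
import csv
import io
import statistics
from collections import Counter

# Constructed sample in the column layout Wireshark writes with
# File > Export Packet Dissections > As CSV. Addresses and timings are made up:
# 192.168.10.195 plays the internal node, 192.168.10.10 the server and
# 203.0.113.7 (RFC 5737 documentation range) the external node of the experiment.
SAMPLE_EXPORT = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.10.195","192.168.10.1","DNS","74","Standard query A server.example"
"2","0.010864","192.168.10.1","192.168.10.195","DNS","90","Standard query response A 192.168.10.10"
"3","0.020321","192.168.10.195","192.168.10.10","TCP","66","49714 > 80 [SYN] Seq=0"
"4","0.031900","192.168.10.10","192.168.10.195","TCP","66","80 > 49714 [SYN, ACK] Seq=0 Ack=1"
"5","1.004200","192.168.10.195","192.168.10.10","HTTP","493","GET /index.html HTTP/1.1"
"6","1.020000","192.168.10.10","192.168.10.195","HTTP","1514","HTTP/1.1 200 OK (text/html)"
'''
# Region x of Figure 12: a burst of UDP datagrams from the external node to the
# server in the third second, generated here rather than typed out (20 rows, 30 ms apart).
SAMPLE_EXPORT += "".join(
    f'"{7 + i}","{2.0 + 0.03 * i:.6f}","203.0.113.7","192.168.10.10","UDP","1470",'
    f'"49100 > 9999 Len=1428"\n'
    for i in range(20)
)


def parse_export(text):
    """Read the export into dicts, turning Time into float seconds and Length into bytes.
    Rows keep the capture order, so the returned list is sorted by Time."""
    packets = []
    for row in csv.DictReader(io.StringIO(text)):
        row["No."] = int(row["No."])
        row["Time"] = float(row["Time"])
        row["Length"] = int(row["Length"])
        packets.append(row)
    return packets


def display_filter(packets, protocol=None, min_length=None, substring=None, host=None):
    """Select packets the way a display filter does: by protocol, by packet size
    (like frame.len >= N), by a sub-string of the Info column and by an address that is
    either source or destination (like ip.addr == host). All given conditions must hold."""
    kept = []
    for p in packets:
        if protocol is not None and p["Protocol"] != protocol:
            continue
        if min_length is not None and p["Length"] < min_length:
            continue
        if substring is not None and substring not in p["Info"]:
            continue
        if host is not None and host not in (p["Source"], p["Destination"]):
            continue
        kept.append(p)
    return kept


def io_graph(packets, interval=1.0, protocol=None):
    """Packets per interval, measured from the first packet like the IO graph's
    default time axis; `protocol` plays the role of the graph's display filter."""
    if not packets:
        return []
    start = packets[0]["Time"]
    counts = [0] * (int((packets[-1]["Time"] - start) // interval) + 1)
    for p in display_filter(packets, protocol=protocol):
        counts[int((p["Time"] - start) // interval)] += 1
    return counts


def find_peaks(counts, factor=3.0):
    """Intervals whose count exceeds `factor` times the median interval: the sharp
    peaks that section 4 reads as the start of bad activity. The median is a crude
    baseline chosen for the example; a real deployment would use a longer quiet period."""
    if not counts:
        return []
    baseline = statistics.median(counts)
    return [i for i, c in enumerate(counts) if c > factor * baseline]


def suspicious_sources(packets, interval=1.0, factor=3.0):
    """For every peak interval, the source address that sent the most packets in it,
    which is the row an analyst would right-click in the packet list to filter on."""
    start = packets[0]["Time"]
    report = {}
    for i in find_peaks(io_graph(packets, interval), factor):
        window = [p for p in packets if int((p["Time"] - start) // interval) == i]
        report[i] = Counter(p["Source"] for p in window).most_common(1)[0][0]
    return report


if __name__ == "__main__":
    pkts = parse_export(SAMPLE_EXPORT)
    print("packets per second:", io_graph(pkts))
    print("UDP per second:", io_graph(pkts, protocol="UDP"))
    print("peak intervals and top talker:", suspicious_sources(pkts))
```

On the constructed export the per-second counts come out as [4, 2, 20], matching the three regions of Figure 12: a quiet control region, a short internal-to-server exchange, and the UDP burst from 203.0.113.7 that the peak rule flags in the third interval. Running the same functions over a real export only needs the same seven columns; the peak factor is the knob to tune against a known-quiet baseline before trusting the flag.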
Figure 12. Graph showing 3 regions 


5. CONCLUSION 

The aforementioned experiment proves that IDS/IPS devices are necessary in any conventional 
network. Wireshark's capabilities for handling and interpreting packet data have also been highlighted. In this 
experiment, ACL filtering has been the main application of Wireshark. The Wireshark tool offers a wide range 
of additional filtering options, including filtering based on the protocols being used, on packet size, and on 
sub-strings. Therefore, Wireshark can be turned into global detection software with the right use of 
filtering commands and other utilities. 